This is fine and I can deal with the ugliness of using {0} and {1} in the format string in place of my curly braces except that now my user input cannot use curly braces either. Is there a way to either escape the curly braces in my format string, or a good way to turn the curly braces in the user code into {0}'s and {1}'s?

BTW, I know that this kind of thing is a security problem waiting to happen, but this is a Windows Forms app that's for internal use on systems that are not connected to the net so the risk is acceptable in this situation.

It's a security problem because the code a user might execute could be literally anything, not because it's connected to the 'net.
–
MusiGenesisOct 2 '08 at 3:27

Actually no, just because the code could be anything doesn't give the user the ability to do anything he couldn't do before. The app runs in the same context as the user and only someone with access to the machine it's running on can introduce code.
–
Jon NortonOct 9 '08 at 19:42